
How to capture and analyze packets with the tcpdump command on Linux

2020-06-16 16:44:27

tcpdump is a well-known command-line packet analyzer. It captures live TCP/IP packets from a network interface, can write them to a file, and can later read that file back for analysis with the same command. That makes it very handy for troubleshooting at the network layer, and for a security engineer it is the quickest way to see what is actually on the wire rather than what a host or an application claims to be sending.

tcpdump is packaged by most Linux distributions. On Debian-based systems, install it with apt:

    # apt install tcpdump -y

On RPM-based systems, install it with yum:

    # yum install tcpdump -y

When tcpdump is run without any options it does not listen on every interface: it picks the lowest-numbered configured, up, non-loopback interface it finds (to really capture on all interfaces, use -i any, listed as a pseudo-device in example 3). It keeps running until you stop it with Ctrl+C, and it needs root, or at least the CAP_NET_RAW capability (plus CAP_NET_ADMIN for promiscuous mode), to open the interface. In this tutorial we discuss how to capture and analyze packets using a number of examples.

Example 1) Capture packets from a specific interface

To capture packets on a particular interface rather than the default one, use the option -i followed by the interface name.

Syntax:

    # tcpdump -i {interface-name}

Suppose I want to capture packets on interface enp0s3:

    [root@compute-0-1 ~]# tcpdump -i enp0s3

The output looks like this,

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    06:43:22.905890 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952160:21952540, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 380
    06:43:22.906045 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952540:21952760, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
    06:43:22.906150 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952760:21952980, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
    06:43:22.906291 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [.], ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 0
    06:43:22.906303 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [P.], seq 13537:13609, ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 72
    06:43:22.906322 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952980:21953200, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
    ^C
    109930 packets captured
    110065 packets received by filter
    133 packets dropped by kernel
    [root@compute-0-1 ~]#

Each line is one packet: the timestamp, the network protocol (IP), source host and port, destination host and port, the TCP flags (P. is PSH+ACK, S is SYN, F is FIN, R is RST, a bare . is a pure ACK), the sequence and acknowledgement numbers (printed relative to the start of the connection once tcpdump has seen its first packet; -S prints absolute values), the receive window, the TCP options and the payload length in bytes. The interface is put into promiscuous mode unless you pass -p, so you may also see traffic not addressed to this host. The three counters printed on Ctrl+C matter: "dropped by kernel" is the number of packets the kernel could not hand to tcpdump because its buffer was full, so they are missing from the capture. If that number is not zero, narrow the filter or enlarge the buffer with -B {size-in-KiB} before treating the capture as complete evidence.
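The summary lines and the footer are regular enough to post-process. The following is an added example, not part of the original article or of tcpdump: a small Python parser for tcpdump's text output that totals payload bytes per direction and computes the share of packets the kernel dropped. The sample input is constructed from the example 1 output above plus one line in the date-stamped format that -tttt produces (shown later in example 4), so the same parser handles both timestamp styles.

```python
"""Parse tcpdump's one-line packet summaries and its Ctrl+C statistics footer.

Added example, not from the original article or from tcpdump itself. SAMPLE is
constructed from the article's example 1 output plus one line in -tttt format.
"""
import re
from collections import defaultdict

# Timestamp is "HH:MM:SS.usec" by default, "YYYY-MM-DD HH:MM:SS.usec" with -tttt;
# host and port are separated by the last dot; ports may be names (ssh) or numbers.
PACKET_RE = re.compile(
    r"^(?P<ts>(?:\d{4}-\d{2}-\d{2} )?\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$"
)
# Footer printed on Ctrl+C; the ^C is sometimes glued to the first counter line.
STATS_RE = re.compile(
    r"^(?:\^C)?(?P<n>\d+) packets (?P<what>captured|received by filter|dropped by kernel)$"
)

SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
06:43:22.905890 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952160:21952540, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 380
06:43:22.906045 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952540:21952760, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
06:43:22.906150 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952760:21952980, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
06:43:22.906291 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [.], ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 0
06:43:22.906303 IP 169.144.0.1.39374 > compute-0-1.example.com.ssh: Flags [P.], seq 13537:13609, ack 21952980, win 13094, options [nop,nop,TS val 6580205 ecr 26164373], length 72
06:43:22.906322 IP compute-0-1.example.com.ssh > 169.144.0.1.39374: Flags [P.], seq 21952980:21953200, ack 13537, win 291, options [nop,nop,TS val 26164373 ecr 6580205], length 220
2018-08-25 23:23:37.140097 IP controller0.example.com.amqp > compute-0-1.example.com.57818: Flags [P.], seq 814607956:814607964, ack 2387094506, win 252, options [nop,nop,TS val 86172228 ecr 86176695], length 8
^C
109930 packets captured
110065 packets received by filter
133 packets dropped by kernel
"""


def parse_packet_line(line):
    """Fields of one packet summary line, or None for banner/footer/other lines."""
    m = PACKET_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["length"] = int(fields["length"])
    return fields


def summarize(lines):
    """Packet and payload-byte totals per (source endpoint, destination endpoint),
    plus the three footer counters keyed by their tcpdump wording."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    stats = {}
    for line in lines:
        s = STATS_RE.match(line.strip())
        if s:
            stats[s.group("what")] = int(s.group("n"))
            continue
        p = parse_packet_line(line)
        if p is None:
            continue
        key = (f"{p['src']}.{p['sport']}", f"{p['dst']}.{p['dport']}")
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p["length"]
    return dict(flows), stats


def drop_ratio(stats):
    """Share of packets that matched the filter but never reached tcpdump."""
    received = stats.get("received by filter", 0)
    return stats.get("dropped by kernel", 0) / received if received else 0.0


def analyze(text=SAMPLE):
    flows, stats = summarize(text.splitlines())
    return {"flows": flows, "stats": stats, "drop_ratio": drop_ratio(stats)}
```

Feed it the text of a real capture with analyze(open("capture.txt").read()); a drop ratio above zero means the flow totals are lower bounds, not exact counts.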

 

Example 2) Capture a specific number of packets from a specific interface

Suppose we want to capture only 12 packets from interface enp0s3. Use -c {count} together with -i {interface-name}:

    [root@compute-0-1 ~]# tcpdump -c 12 -i enp0s3

The output has the same form as in example 1, except that tcpdump exits by itself after the twelfth packet and the footer reads "12 packets captured" instead of waiting for Ctrl+C.

(The original article shows a screenshot of this output here.)

 

Example 3) List all interfaces available to tcpdump

Use the -D option to list every interface tcpdump can capture on:

    [root@compute-0-1 ~]# tcpdump -D
    1.enp0s3
    2.enp0s8
    3.ovs-system
    4.br-int
    5.br-tun
    6.nflog (Linux netfilter log (NFLOG) interface)
    7.nfqueue (Linux netfilter queue (NFQUEUE) interface)
    8.usbmon1 (USB bus number 1)
    9.usbmon2 (USB bus number 2)
    10.qbra692e993-28
    11.qvoa692e993-28
    12.qvba692e993-28
    13.tapa692e993-28
    14.vxlan_sys_4789
    15.any (Pseudo-device that captures on all interfaces)
    16.lo [Loopback]
    [root@compute-0-1 ~]#

I am running tcpdump on one of my OpenStack compute nodes, which is why the list includes the Open vSwitch bridges (br-int, br-tun), the per-VM tap, qbr, qvo and qvb interfaces and a VXLAN tunnel interface. The number in front of each name can be passed to -i instead of the name, and the nflog and nfqueue pseudo-interfaces let you capture packets that the netfilter firewall has logged or queued rather than raw interface traffic.

 

Example 4) Capture packets with full date and time stamps (-tttt option)

By default tcpdump prefixes each packet only with the time of day (hh:mm:ss.microseconds), which is awkward to correlate with other logs. The -tttt option prints a complete date and time for every packet:

    [root@compute-0-1 ~]# tcpdump -c 8 -tttt -i enp0s3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    2018-08-25 23:23:36.954883 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1449206247:1449206435, ack 3062020950, win 291, options [nop,nop,TS val 86178422 ecr 21583714], length 188
    2018-08-25 23:23:36.955046 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 13585, options [nop,nop,TS val 21583717 ecr 86178422], length 0
    2018-08-25 23:23:37.140097 IP controller0.example.com.amqp > compute-0-1.example.com.57818: Flags [P.], seq 814607956:814607964, ack 2387094506, win 252, options [nop,nop,TS val 86172228 ecr 86176695], length 8
    2018-08-25 23:23:37.140175 IP compute-0-1.example.com.57818 > controller0.example.com.amqp: Flags [.], ack 8, win 237, options [nop,nop,TS val 86178607 ecr 86172228], length 0
    2018-08-25 23:23:37.355238 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [P.], seq 1080415080:1080417400, ack 1690909362, win 237, options [nop,nop,TS val 86178822 ecr 86163054], length 2320
    2018-08-25 23:23:37.357119 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 2320, win 1432, options [nop,nop,TS val 86172448 ecr 86178822], length 0
    2018-08-25 23:23:37.357545 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [P.], seq 1:22, ack 2320, win 1432, options [nop,nop,TS val 86172449 ecr 86178822], length 21
    2018-08-25 23:23:37.357572 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 22, win 237, options [nop,nop,TS val 86178825 ecr 86172449], length 0
    8 packets captured
    134 packets received by filter
    69 packets dropped by kernel
    [root@compute-0-1 ~]#

The timestamps come from the capturing host's clock in its local time zone, so keep that clock NTP-synchronised if you intend to line the capture up with logs from other systems. Note the footer again: even this short capture lost 69 packets in the kernel.

 

Example 5) Capture packets and save them to a file (-w option)

Use the -w option to write the captured packets to a file instead of printing them, so that they can be analyzed later with tcpdump, Wireshark or any other tool that reads pcap files.

Syntax:

    # tcpdump -w {file-name}.pcap -i {interface-name}

Note: the file is written in pcap format whatever it is called; the .pcap extension is a convention that lets Wireshark and similar tools recognise the file, so keep to it. While -w is in effect nothing is printed per packet; add -v to get a running count of captured packets on stderr.

Suppose I want to save the packets captured on enp0s3 to a file named enp0s3-26082018.pcap:

    [root@compute-0-1 ~]# tcpdump -w enp0s3-26082018.pcap -i enp0s3
    tcpdump: listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C841 packets captured
    845 packets received by filter
    0 packets dropped by kernel
    [root@compute-0-1 ~]# ls
    anaconda-ks.cfg  enp0s3-26082018.pcap
    [root@compute-0-1 ~]#

-w can be combined with any filter expression. To capture and save only packets whose length is at least 1024 bytes (greater N means len >= N):

    [root@compute-0-1 ~]# tcpdump -w enp0s3-26082018-2.pcap greater 1024

And only packets of at most 1024 bytes (less N means len <= N):

    [root@compute-0-1 ~]# tcpdump -w enp0s3-26082018-3.pcap less 1024

Without -i these two commands capture on the default interface. Because the file contains every byte of every matching packet, including any credentials or session data that crossed the wire in clear text, treat a .pcap file as sensitive and restrict who can read it.

 

Example 6) Read packets from a saved file (-r option)

In the previous example we saved the captured packets to a file; -r reads them back and prints them exactly as a live capture would:

    [root@compute-0-1 ~]# tcpdump -r enp0s3-26082018.pcap

Filter expressions work when reading too, so "tcpdump -r enp0s3-26082018.pcap port 22" shows only the SSH traffic from the file. Name resolution also happens at read time: the hostnames below were looked up when the file was read, so use -n if you do not want the analysis machine to send DNS queries about every address in somebody else's capture.

To read the file with full date and time stamps:

    [root@compute-0-1 ~]# tcpdump -tttt -r enp0s3-26082018.pcap
    reading from file enp0s3-26082018.pcap, link-type EN10MB (Ethernet)
    2018-08-25 22:03:17.249648 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1426167803:1426167927, ack 3061962134, win 291, options [nop,nop,TS val 81358717 ecr 20378789], length 124
    2018-08-25 22:03:17.249840 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 124, win 564, options [nop,nop,TS val 20378791 ecr 81358717], length 0
    2018-08-25 22:03:17.454559 IP controller0.example.com.amqp > compute-0-1.example.com.57836: Flags [.], ack 1079416895, win 1432, options [nop,nop,TS val 81352560 ecr 81353913], length 0
    2018-08-25 22:03:17.454642 IP compute-0-1.example.com.57836 > controller0.example.com.amqp: Flags [.], ack 1, win 237, options [nop,nop,TS val 81358922 ecr 81317504], length 0
    2018-08-25 22:03:17.646945 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [.], seq 106760587:106762035, ack 688390730, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 1448
    2018-08-25 22:03:17.647043 IP compute-0-1.example.com.57788 > controller0.example.com.amqp: Flags [P.], seq 1448:1956, ack 1, win 237, options [nop,nop,TS val 81359114 ecr 81350901], length 508
    2018-08-25 22:03:17.647502 IP controller0.example.com.amqp > compute-0-1.example.com.57788: Flags [.], ack 1956, win 1432, options [nop,nop,TS val 81352753 ecr 81359114], length 0
    .........

 

Example 7) Show numeric addresses instead of names (-n option)

The -n option does not select which packets are captured; it stops tcpdump from resolving IP addresses to hostnames, so every packet is printed with the raw address. Compare the output below with example 1, where the same host appeared as compute-0-1.example.com:

    [root@compute-0-1 ~]# tcpdump -n -i enp0s3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:22:28.537904 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433301395:1433301583, ack 3061976250, win 291, options [nop,nop,TS val 82510005 ecr 20666610], length 188
    22:22:28.538173 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20666613 ecr 82510005], length 0
    22:22:28.538573 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 364
    22:22:28.538736 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
    22:22:28.538874 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
    22:22:28.539042 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20666613 ecr 82510006], length 0
    22:22:28.539178 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666613], length 340
    22:22:28.539282 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
    22:22:28.539479 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 82510006 ecr 20666614], length 340
    22:22:28.539595 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1572, win 9086, options [nop,nop,TS val 20666614 ecr 82510006], length 0
    22:22:28.539760 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1572:1912, ack 1, win 291, options [nop,nop,TS val 82510007 ecr 20666614], length 340
    .........

Port numbers are still printed as service names (ssh); use -nn to print them numerically as well (22). Using -n is good practice on a host you are investigating: every reverse DNS lookup is extra traffic that slows the capture, can itself be dropped, and tells whoever runs the resolver which addresses you are interested in.

-n combines with -c to capture a fixed number of packets:

    [root@compute-0-1 ~]# tcpdump -c 25 -n -i enp0s3

 

Example 8) Capture only TCP packets on a specific interface

tcp is a protocol primitive of the pcap filter language (the same language Wireshark uses for capture filters); placing it after the options restricts the capture to TCP segments. udp and icmp work the same way.

    [root@compute-0-1 ~]# tcpdump -i enp0s3 tcp
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:36:54.521053 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1433336467:1433336655, ack 3061986618, win 291, options [nop,nop,TS val 83375988 ecr 20883106], length 188
    22:36:54.521474 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 188, win 9086, options [nop,nop,TS val 20883109 ecr 83375988], length 0
    22:36:54.522214 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:552, ack 1, win 291, options [nop,nop,TS val 83375989 ecr 20883109], length 364
    22:36:54.522508 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 552, win 9086, options [nop,nop,TS val 20883109 ecr 83375989], length 0
    22:36:54.522867 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 552:892, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
    22:36:54.523006 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 892, win 9086, options [nop,nop,TS val 20883109 ecr 83375990], length 0
    22:36:54.523304 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 892:1232, ack 1, win 291, options [nop,nop,TS val 83375990 ecr 20883109], length 340
    22:36:54.523461 IP 169.144.0.1.39406 > 169.144.0.20.ssh: Flags [.], ack 1232, win 9086, options [nop,nop,TS val 20883110 ecr 83375990], length 0
    22:36:54.523604 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1232:1572, ack 1, win 291, options [nop,nop,TS val 83375991 ecr 20883110], length 340
    .........

 

Example 9) Capture packets on a specific port of a specific interface

tcpdump can restrict the capture to a particular port, for example port 22 on interface enp0s3. port N matches packets whose source or destination port is N, for both TCP and UDP; use src port N or dst port N for one direction only, and tcp port N if UDP should be excluded.

Syntax:

    # tcpdump -i {interface-name} port {port-number}

    [root@compute-0-1 ~]# tcpdump -i enp0s3 port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:54:45.032412 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1435010787:1435010975, ack 3061993834, win 291, options [nop,nop,TS val 84446499 ecr 21150734], length 188
    22:54:45.032631 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 9131, options [nop,nop,TS val 21150737 ecr 84446499], length 0
    22:54:55.037926 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 188:576, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21150737], length 388
    22:54:55.038106 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 576, win 9154, options [nop,nop,TS val 21153238 ecr 84456505], length 0
    22:54:55.038286 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 576:940, ack 1, win 291, options [nop,nop,TS val 84456505 ecr 21153238], length 364
    22:54:55.038564 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 940, win 9177, options [nop,nop,TS val 21153238 ecr 84456505], length 0
    22:54:55.038708 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 940:1304, ack 1, win 291, options [nop,nop,TS val 84456506 ecr 21153238], length 364
    .........

 

Example 10) Capture packets from a specific source IP on a specific interface

Use the src keyword followed by an IP address to capture only packets sent by that address.

Syntax:

    # tcpdump -n -i {interface-name} src {ip-address}

For example,

    [root@compute-0-1 ~]# tcpdump -n -i enp0s3 src 169.144.0.10
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:03:45.912733 IP 169.144.0.10.amqp > 169.144.0.20.57800: Flags [.], ack 526623844, win 243, options [nop,nop,TS val 84981008 ecr 84982372], length 0
    23:03:46.136757 IP 169.144.0.10.amqp > 169.144.0.20.57796: Flags [.], ack 2535995970, win 252, options [nop,nop,TS val 84981232 ecr 84982596], length 0
    23:03:46.153398 IP 169.144.0.10.amqp > 169.144.0.20.57798: Flags [.], ack 3623063621, win 243, options [nop,nop,TS val 84981248 ecr 84982612], length 0
    23:03:46.361160 IP 169.144.0.10.amqp > 169.144.0.20.57802: Flags [.], ack 2140263945, win 252, options [nop,nop,TS val 84981456 ecr 84982821], length 0
    23:03:46.376926 IP 169.144.0.10.amqp > 169.144.0.20.57808: Flags [.], ack 175946224, win 252, options [nop,nop,TS val 84981472 ecr 84982836], length 0
    23:03:46.505242 IP 169.144.0.10.amqp > 169.144.0.20.57810: Flags [.], ack 1016089556, win 252, options [nop,nop,TS val 84981600 ecr 84982965], length 0
    23:03:46.616994 IP 169.144.0.10.amqp > 169.144.0.20.57812: Flags [.], ack 832263835, win 252, options [nop,nop,TS val 84981712 ecr 84983076], length 0
    23:03:46.809344 IP 169.144.0.10.amqp > 169.144.0.20.57814: Flags [.], ack 2781799939, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
    23:03:46.809485 IP 169.144.0.10.amqp > 169.144.0.20.57816: Flags [.], ack 1662816815, win 252, options [nop,nop,TS val 84981904 ecr 84983268], length 0
    23:03:47.033301 IP 169.144.0.10.amqp > 169.144.0.20.57818: Flags [.], ack 2387094362, win 252, options [nop,nop,TS val 84982128 ecr 84983492], length 0
    ^C
    10 packets captured
    12 packets received by filter
    0 packets dropped by kernel

Only packets whose source is 169.144.0.10 appear; the replies from 169.144.0.20 do not match the filter. Note also that -n left the port as the service name amqp, because -n affects hosts only; -nn would print 5672.

 

Example 11) Capture packets to a specific destination IP on a specific interface

The dst keyword is the counterpart of src and matches packets addressed to the given IP.

Syntax:

    # tcpdump -n -i {interface-name} dst {ip-address}

    [root@compute-0-1 ~]# tcpdump -n -i enp0s3 dst 169.144.0.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:10:43.520967 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 1439564171:1439564359, ack 3062005550, win 291, options [nop,nop,TS val 85404988 ecr 21390356], length 188
    23:10:43.521441 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 188:408, ack 1, win 291, options [nop,nop,TS val 85404988 ecr 21390359], length 220
    23:10:43.521719 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 408:604, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    23:10:43.521993 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 604:800, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    23:10:43.522157 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 800:996, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    23:10:43.522346 IP 169.144.0.20.ssh > 169.144.0.1.39406: Flags [P.], seq 996:1192, ack 1, win 291, options [nop,nop,TS val 85404989 ecr 21390359], length 196
    .........

Again only one direction is shown: the ACKs that 169.144.0.1 sends back have it as their source, not their destination, so they are filtered out. To see both directions of a host's traffic use host {ip-address}, which matches either field.

 

Example 12) Capture the TCP traffic between two hosts

Suppose I want to capture the TCP packets exchanged between hosts 169.144.0.1 and 169.144.0.20 and save them to a file:

    [root@compute-0-1 ~]# tcpdump -w two-host-tcp-comm.pcap -i enp0s3 tcp and host 169.144.0.1 and host 169.144.0.20

host matches a packet whose source or destination is the given address, so "host A and host B" is exactly "between A and B". The original article used "host A or host B" here; that matches every packet involving either host, including their traffic with third parties, which is a much larger capture than intended.

To capture only the SSH traffic between the two hosts, add the port:

    [root@compute-0-1 ~]# tcpdump -w ssh-comm-two-hosts.pcap -i enp0s3 host 169.144.0.1 and host 169.144.0.20 and port 22

If you really want a single direction, say only what 169.144.0.1 sends to 169.144.0.20, use "src 169.144.0.1 and dst 169.144.0.20 and port 22" instead; that records the requests but none of the replies.

 

Example 13) Capture the UDP traffic between two hosts (both directions)

Syntax:

    # tcpdump -w {file-name}.pcap -s {snaplen} -i {interface-name} udp and (host {ip-address-1} and host {ip-address-2})

    [root@compute-0-1 ~]# tcpdump -w two-host-comm.pcap -s 1000 -i enp0s3 udp and (host 169.144.0.10 and host 169.144.0.20)

-s sets the snapshot length: only the first 1000 bytes of each packet are saved. The default is 262144 bytes, the "capture size" in tcpdump's banner, which means whole packets. A small snaplen keeps files small and can keep sensitive payloads out of a capture, at the price of truncated packets; anything shorter than the headers you need to decode (14 bytes of Ethernet, 20 of IP, 8 of UDP or 20 or more of TCP) makes the capture useless for analysis.

 

Example 14) Capture packets in hex and ASCII format

Besides the summary line, tcpdump can print the contents of each packet.

-A prints each packet (minus its link-layer header) as ASCII, with every non-printable byte shown as a dot:

    [root@compute-0-1 ~]# tcpdump -c 10 -A -i enp0s3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    00:37:10.520060 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1452637331:1452637519, ack 3062125586, win 333, options [nop,nop,TS val 90591987 ecr 22687106], length 188
    E...[.@.@...............V.|...T....MT......
    .fR..Z-....b.:..Z5...{.'p....]."}...Z..9.?......."root@compute-0-1 <.....V..C.....{,...OKP.2.*...`..-sS..1S...........:.O[.....{G..%ze.Pn.T..N.... ....qB..5...n.....`...:=...[..0....k.....S.:..5!.9..G....!-..'..
    00:37:10.520319 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 13930, options [nop,nop,TS val 22687109 ecr 90591987], length 0
    root@compute-0-1@.|+..............T.V.}O..6j.d.....
    .Z-..fR.
    00:37:11.687543 IP controller0.example.com.amqp > compute-0-1.example.com.57800: Flags [.], ack 526624548, win 243, options [nop,nop,TS val 90586768 ecr 90588146], length 0
    root@compute-0-1@.!L...
    .....(..g....c.$...........
    .f>..fC.
    00:37:11.687612 IP compute-0-1.example.com.57800 > controller0.example.com.amqp: Flags [.], ack 1, win 237, options [nop,nop,TS val 90593155 ecr 90551716], length 0
    root@compute-0-1@..........
    ...(.c.$g.......Se.....
    .fW..e..
    .........

The first packet is SSH, so the "text" is ciphertext, which is as it should be. Run the same command against a clear-text protocol (HTTP, SMTP, FTP, telnet, an internal API served over plain HTTP) and -A shows headers, cookies and passwords exactly as they cross the wire. That makes it the quickest way to prove that a credential really is sent in the clear, and it is also why capture files must be handled as confidential data.

To print each packet in hex with the ASCII alongside, use -X; -XX does the same but also includes the link-layer header, which is why each dump below starts with the destination and source MAC addresses (0a:00:27:00:00:00 and 08:00:27:f4:f9:35) and the EtherType 0800 (IPv4), followed at byte 14 by the IP header (45 10 ...).

    [root@compute-0-1 ~]# tcpdump -c 10 -XX -i enp0s3
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
    00:39:15.124363 IP compute-0-1.example.com.ssh > 169.144.0.1.39406: Flags [P.], seq 1452640859:1452641047, ack 3062126346, win 333, options [nop,nop,TS val 90716591 ecr 22718257], length 188
        0x0000:  0a00 2700 0000 0800 27f4 f935 0800 4510  ..'.....'..5..E.
        0x0010:  00f0 5bc6 4000 4006 8afc a990 0014 a990  ..[.@.@.........
        0x0020:  0001 0016 99ee 5695 8a5b b684 570a 8018  ......V..[..W...
        0x0030:  014d 5418 0000 0101 080a 0568 39af 015a  .MT........h9..Z
        0x0040:  a731 adb7 58b6 1a0f 2006 df67 c9b6 4479  .1..X......g..Dy
        0x0050:  19fd 2c3d 2042 3313 35b9 a160 fa87 d42c  ..,=.B3.5..`...,
        0x0060:  89a9 3d7d dfbf 980d 2596 4f2a 99ba c92a  ..=}....%.O*...*
        0x0070:  3e1e 7bf7 3af2 a5cc ee4f 10bc 7dfc 630d  >.{.:....O..}.c.
        0x0080:  898a 0e16 6825 56c7 b683 1de4 3526 ff04  ....h%V.....5&..
        0x0090:  68d1 4f7d babd 27ba 84ae c5d3 750b 01bd  h.O}..'.....u...
        0x00a0:  9c43 e10a 33a6 8df2 a9f0 c052 c7ed 2ff5  .C..3......R../.
        0x00b0:  bfb1 ce84 edfc c141 6dad fa19 0702 62a7  .......Am.....b.
        0x00c0:  306c db6b 2eea 824e eea5 acd7 f92e 6de3  0l.k...N......m.
        0x00d0:  85d0 222d f8bf 9051 2c37 93c8 506d 5cb5  .."-...Q,7..Pm\.
        0x00e0:  3b4a 2a80 d027 49f2 c996 d2d9 a9eb c1c4  ;J*..'I.........
        0x00f0:  7719 c615 8486 d84c e42d 0ba3 698c       w......L.-..i.
    00:39:15.124648 IP 169.144.0.1.39406 > compute-0-1.example.com.ssh: Flags [.], ack 188, win 13971, options [nop,nop,TS val 22718260 ecr 90716591], length 0
        0x0000:  0800 27f4 f935 0a00 2700 0000 0800 4510  ..'..5..'.....E.
        0x0010:  0034 6b70 4000 4006 7c0e a990 0001 a990  .4kp@.@.|.......
        0x0020:  0014 99ee 0016 b684 570a 5695 8b17 8010  ........W.V.....
        0x0030:  3693 7c0e 0000 0101 080a 015a a734 0568  6.|........Z.4.h
        0x0040:  39af                                     9.
    .........

Every field of the summary line can be read off the hex: in the first dump the IP total length is 00f0 (240 bytes), the TCP ports are 0016 (22) and 99ee (39406), the sequence number 5695 8a5b is 1452640859, the flags byte 18 in 8018 is PSH+ACK and the window 014d is 333, so the payload is 240 minus 20 bytes of IP header minus 32 bytes of TCP header, the 188 bytes tcpdump reports.

That is all for this article. I hope you now know how to capture and analyze TCP/IP packets with the tcpdump command; please share your feedback and comments.


via: https://www.linuxtechi.com/capture-analyze-packets-tcpdump-command-linux/

Author: Pradeep Kumar
Topic selected by: lujun9972
Translator: ypingcn
Proofreader: wxy

This article was translated by LCTT and published by Linux中国.

